gh0strat | c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe
Size

98KB
MD5

371bb78624d73e172a8a6e9a0faf4331
SHA1

24a4663d3b42d094a0b9b9c18b997663f12a8ffa
SHA256

c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927
SHA512

69a13b07fa0cb5b949850419bca717f1388fa98733e0759edb5f5d66f9b2708a21345c1443c805f632184654b714da96c2819ecde97e8a52eaac65b632de39c4
SSDEEP

1536:SKFusSx9qYMhdFHS8qdydo3nTzhYxJA+CwNUtBZVY9v8prk23qlhzwYgD:SQS4jHS8q/3nTzePCwNUh4E9kBD+

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022e46-139.dat	family_gh0strat
behavioral2/files/0x0007000000022e46-140.dat	family_gh0strat
behavioral2/memory/5004-141-0x0000000000400000-0x000000000044E380-memory.dmp	family_gh0strat
behavioral2/files/0x0007000000022e46-142.dat	family_gh0strat
behavioral2/files/0x0007000000022e46-144.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 1 IoCs

pid	Process
5004	lmfgoyjmxj

Loads dropped DLL 3 IoCs

pid	Process
4684	svchost.exe
1312	svchost.exe
4512	svchost.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\oftdijyirf	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\onivqmbgfa	svchost.exe
File created	C:\Windows\SysWOW64\onxbpviysl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\onohnfpsfw	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1372	4684	WerFault.exe	84
3824	1312	WerFault.exe	87
3484	4512	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5004	lmfgoyjmxj
5004	lmfgoyjmxj

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeRestorePrivilege	5004	lmfgoyjmxj
Token: SeBackupPrivilege	5004	lmfgoyjmxj
Token: SeBackupPrivilege	5004	lmfgoyjmxj
Token: SeRestorePrivilege	5004	lmfgoyjmxj
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeRestorePrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeSecurityPrivilege	4684	svchost.exe
Token: SeBackupPrivilege	4684	svchost.exe
Token: SeRestorePrivilege	4684	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeRestorePrivilege	1312	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeSecurityPrivilege	1312	svchost.exe
Token: SeSecurityPrivilege	1312	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeSecurityPrivilege	1312	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeSecurityPrivilege	1312	svchost.exe
Token: SeBackupPrivilege	1312	svchost.exe
Token: SeRestorePrivilege	1312	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeRestorePrivilege	4512	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeSecurityPrivilege	4512	svchost.exe
Token: SeSecurityPrivilege	4512	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeSecurityPrivilege	4512	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeSecurityPrivilege	4512	svchost.exe
Token: SeBackupPrivilege	4512	svchost.exe
Token: SeRestorePrivilege	4512	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 5004	1716	c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe	82
PID 1716 wrote to memory of 5004	1716	c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe	82
PID 1716 wrote to memory of 5004	1716	c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe	82

C:\Users\Admin\AppData\Local\Temp\c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe
"C:\Users\Admin\AppData\Local\Temp\c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- \??\c:\users\admin\appdata\local\lmfgoyjmxj
  "C:\Users\Admin\AppData\Local\Temp\c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe" a -sc:\users\admin\appdata\local\temp\c5ddaee7ad6047ed4395473b86693af38d8c2fefe2172ac09d7a68a90446d927.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 848
  2⤵
  - Program crash
  PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4684 -ip 4684
1⤵
PID:1100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1112
  2⤵
  - Program crash
  PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1312 -ip 1312
1⤵
PID:4144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1112
  2⤵
  - Program crash
  PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4512 -ip 4512
1⤵
PID:344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Storm\update\%SESSIONNAME%\slijv.cc3

Filesize
22.0MB

MD5
6bbcb059c23a1e5c60e828c02087d755

SHA1
7ea54b7a821dc8aac1c92eb58fd4b588cbd132da

SHA256
d696798d2905b7c003c1dc706cc0671474e4e1c8594c9a53e839b171716b0aeb

SHA512
1c315cc3ecb7fd32f0a5eec5fa958223a13f84ecb433e1cb5aa3cb81a708f52b489ba0daec2d1edcf75beea75ca599cc09e38c2e7a34c8a01d11c99ac9b2d9a7

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\slijv.cc3

Filesize
22.0MB

MD5
6bbcb059c23a1e5c60e828c02087d755

SHA1
7ea54b7a821dc8aac1c92eb58fd4b588cbd132da

SHA256
d696798d2905b7c003c1dc706cc0671474e4e1c8594c9a53e839b171716b0aeb

SHA512
1c315cc3ecb7fd32f0a5eec5fa958223a13f84ecb433e1cb5aa3cb81a708f52b489ba0daec2d1edcf75beea75ca599cc09e38c2e7a34c8a01d11c99ac9b2d9a7

Download Submit
C:\ProgramData\Storm\update\%SESSIONNAME%\slijv.cc3

Filesize
22.0MB

MD5
6bbcb059c23a1e5c60e828c02087d755

SHA1
7ea54b7a821dc8aac1c92eb58fd4b588cbd132da

SHA256
d696798d2905b7c003c1dc706cc0671474e4e1c8594c9a53e839b171716b0aeb

SHA512
1c315cc3ecb7fd32f0a5eec5fa958223a13f84ecb433e1cb5aa3cb81a708f52b489ba0daec2d1edcf75beea75ca599cc09e38c2e7a34c8a01d11c99ac9b2d9a7

Download Submit
C:\Users\Admin\AppData\Local\lmfgoyjmxj

Filesize
19.5MB

MD5
6e89858005eb89314bbea03dfdadacab

SHA1
697a09f562bc51b06e5dcceb625a08d37303056c

SHA256
291c8a6dd96b8e20d81bc5e39c1a7860dab32bfa3912afb5b101d6d1a44adca7

SHA512
b80187d5d43534162e057438d6681411c07624de5cd29c320f0b200c54564c6a36eee7ebd04dc748176299966610c2e2e3826da42fa53f03b22403ad8bc67771

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
202B

MD5
bda69baee1b37bc70404364ee84d51fa

SHA1
662c96c3c50368dd58025b4d602b5347d27b16e6

SHA256
65e28aa5c20b3a06affc363356f78025e3414a94b1845db651061e3058a46b50

SHA512
c23487f3488f8f7576871b14dd416daf6d88045ce731e0c50feb32a998347cfe421fcfd9ccd3476b625f4a4ccc28ca3ca343c2d682c40defc55949a9ac90a2df

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
303B

MD5
c1fb1202488465369091a31768e875ed

SHA1
a084fc22612e1d7024f133af15c15cb79a406b92

SHA256
8a4b8724bec94eb6f5ea8e96ff1fd7dd7ba6794d3b95099938d74ab204f30592

SHA512
a1bc11c59c174ea89ca5c8040cb400aa4d7a6e60341be074a0f5588c6f29d0e4a2fdc14f8ad04e07bba85cda89655ae4c829ef325fd03e7d38843ef64223d319

Download Submit
\??\c:\programdata\application data\storm\update\%sessionname%\slijv.cc3

Filesize
22.0MB

MD5
6bbcb059c23a1e5c60e828c02087d755

SHA1
7ea54b7a821dc8aac1c92eb58fd4b588cbd132da

SHA256
d696798d2905b7c003c1dc706cc0671474e4e1c8594c9a53e839b171716b0aeb

SHA512
1c315cc3ecb7fd32f0a5eec5fa958223a13f84ecb433e1cb5aa3cb81a708f52b489ba0daec2d1edcf75beea75ca599cc09e38c2e7a34c8a01d11c99ac9b2d9a7

Download Submit
\??\c:\users\admin\appdata\local\lmfgoyjmxj

Filesize
19.5MB

MD5
6e89858005eb89314bbea03dfdadacab

SHA1
697a09f562bc51b06e5dcceb625a08d37303056c

SHA256
291c8a6dd96b8e20d81bc5e39c1a7860dab32bfa3912afb5b101d6d1a44adca7

SHA512
b80187d5d43534162e057438d6681411c07624de5cd29c320f0b200c54564c6a36eee7ebd04dc748176299966610c2e2e3826da42fa53f03b22403ad8bc67771

Download Submit
memory/1716-135-0x0000000000400000-0x000000000044E380-memory.dmp

Filesize
312KB

Download
memory/1716-132-0x0000000000400000-0x000000000044E380-memory.dmp

Filesize
312KB

Download
memory/5004-138-0x0000000000400000-0x000000000044E380-memory.dmp

Filesize
312KB

Download
memory/5004-141-0x0000000000400000-0x000000000044E380-memory.dmp

Filesize
312KB

Download
memory/5004-137-0x0000000000400000-0x000000000044E380-memory.dmp

Filesize
312KB

Download
memory/5004-133-0x0000000000000000-mapping.dmp

Download